In Data Security, It’s a Numbers Game

In its most recent Cyberthreat Defense Report, CyberEdge Group noted that more than half of business security and IT leaders (52 percent) believe a successful cyber-attack is likely in the coming year, up from 39 percent in 2013.

Given all the news around the high number of large-scale data breaches that befell companies such as The Home Depot, Staples, Anthem Health, and Neiman Marcus in 2014, it’s not surprising. It's also not surprising that many businesses feel helpless to defend against hackers, who, according to the report, managed to work their way into more than 70 percent of business data networks, up from 62 percent in 2013.

While the problem is pervasive, and protecting against it is indeed a challenge, there are a number of basic, low-cost steps that companies can take to secure consumer data.

Experts largely agree that a firewall—a network security system, either hardware- or software-based, that controls incoming and outgoing network traffic—should be the first line of defense against hackers and malicious software. Antivirus and antispyware software should make up the second line, scanning for and removing programs and code that can damage computers or compromise the valuable data they store.

The third line of defense should be multifactor authentication. Multifactor authentication is a security system that requires more than one method to verify a customer's identity before allowing him to log in to an account, access information, or perform some other transaction. The goal of multifactor authentication is to create a layered defense; if one factor is compromised, the hacker still has at least one more barrier to breach before breaking into the system.

Multifactor authentication can involve any combination of the following elements:

• knowledge factors, such as user names or IDs, passwords, PINs, and the answers to secret questions;

• location factors—users' current locations, based on GPS tracking of their smartphones or automatic number identification (more commonly known as caller ID), or, in the case of Web traffic, their IP addresses;

• time factors, such as verification of employee IDs against work schedules (also, a bank customer can't physically use an ATM card in America and then in China 15 minutes later); and
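The ATM example in the time-factor item above (a card used in America and then in China 15 minutes later) combines a location factor with a time factor, and it can be checked mechanically. The sketch below is an added example, not code from the article or from any product it mentions; the function names, the 1,000 km/h speed ceiling, the 50 km noise tolerance, and the sample events are all assumptions constructed for illustration.

```python
import math
from datetime import datetime, timedelta

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # assumption: a little above airliner cruise speed
NOISE_TOLERANCE_KM = 50.0    # assumption: GPS / IP geolocation error margin

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def assess(prev, curr, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return 'allow' or 'step_up' (demand another factor) for curr,
    given the account's previous accepted event prev."""
    hours = (curr["time"] - prev["time"]).total_seconds() / 3600.0
    if hours < 0:
        return "step_up"     # out-of-order timestamp: do not trust it
    dist = haversine_km(prev["lat"], prev["lon"], curr["lat"], curr["lon"])
    if dist <= NOISE_TOLERANCE_KM:
        return "allow"       # same area; difference is within location noise
    if hours == 0 or dist / hours > max_kmh:
        return "step_up"     # nobody travels that fast: location/time mismatch
    return "allow"

# Constructed sample events: New York, then Beijing.
T0 = datetime(2015, 6, 1, 12, 0, 0)
NEW_YORK = {"lat": 40.7128, "lon": -74.0060, "time": T0}
BEIJING_15_MIN = {"lat": 39.9042, "lon": 116.4074, "time": T0 + timedelta(minutes=15)}
BEIJING_20_HRS = {"lat": 39.9042, "lon": 116.4074, "time": T0 + timedelta(hours=20)}
NEW_YORK_1_MIN = {"lat": 40.7130, "lon": -74.0050, "time": T0 + timedelta(minutes=1)}

if __name__ == "__main__":
    for name, event in [("Beijing +15 min", BEIJING_15_MIN),
                        ("Beijing +20 h", BEIJING_20_HRS),
                        ("New York +1 min", NEW_YORK_1_MIN)]:
        print(name, "->", assess(NEW_YORK, event))
```

A "step_up" result does not block the customer outright; it means the location and time factors disagree, so the transaction should require one more factor before it proceeds.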

Larry Ponemon, founder and chairman of the Ponemon Institute, a provider of independent research on privacy, data protection, and information security policy, calls multifactor authentication "absolutely critical" for a secure customer experience. Not having it "is a recipe for disaster."

"You need to authenticate on more than one platform," Ponemon adds. "Passwords and security questions alone are not secure enough. Personal information is just too readily available, and the answers to the standard questions can be found out too easily."

Thomas Loeser, a former federal cybercrime prosecutor who is now a partner at Seattle law firm Hagens Berman, agrees. "Multifactor authentication provides a huge advantage," he says. "It prevents someone from gaining access to sensitive information just because he has a user name and password, which hackers can easily get."

In 2014, 783 major data breaches in the United States potentially exposed hundreds of millions of customer records to hackers, according to information compiled by the Identity Theft Resource Center (ITRC). Many of them "could have been avoided with multifactor authentication," Loeser states without hesitation.

Leslie Ament, senior vice president and principal analyst at Hypatia Research, called multifactor authentication "a highly necessary component in protecting customers from fraud as well as for managing business risk."

Editor's Note: Part 1 of this series, which identified different types of enterprise security holes, appeared in the May issue of CRM magazine.
